10 Feb, 2023

Untrusted Search Path

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

An untrusted search path vulnerability occurs when an application is executing code from a location that is not properly protected, leading to a compromise of system security. This type of vulnerability occurs when an application is designed to search for shared libraries, executables, or other dependencies in directories specified in an environment variable or a configuration file, without properly verifying the authenticity of these directories.

Attackers can exploit an untrusted search path vulnerability by modifying the environment variable or configuration file to point to a directory controlled by the attacker. This allows the attacker to execute malicious code or install malware on the system, potentially leading to a compromise of sensitive data or complete control over the affected system.

Examples of vulnerable code on different programming languages

Pyton:

				
					import os
import sys

path = os.environ.get("MY_CUSTOM_PATH")
if path:
    sys.path.insert(0, path)

import library

				
			

In this Python code, the MY_CUSTOM_PATH environment variable is used to determine the location of a shared library. If the environment variable is set, its value is added to the beginning of the sys.path list, which is used to search for imports. This makes the code vulnerable to an untrusted search path vulnerability, because an attacker could set the MY_CUSTOM_PATH environment variable to a location containing a malicious version of the library module, which would be executed instead of the expected code.

C:

				
					#include <stdlib.h>
#include <stdio.h>
#include <dlfcn.h>

int main(int argc, char *argv[]) {
    char *library_path = getenv("MY_CUSTOM_PATH");
    if (library_path == NULL) {
        library_path = "/usr/lib";
    }

    void *handle = dlopen(library_path, RTLD_LAZY);
    if (handle == NULL) {
        printf("Failed to load library\n");
        return 1;
    }

    // Use the library...

    dlclose(handle);

    return 0;
}

				
			

In this C code, the MY_CUSTOM_PATH environment variable is used to determine the location of a shared library. If the environment variable is set, its value is used as the library path. If the environment variable is not set, the default path /usr/lib is used. This makes the code vulnerable to an untrusted search path vulnerability, because an attacker could set the MY_CUSTOM_PATH environment variable to a location containing a malicious version of the library, which would be executed instead of the expected code.

Java:

				
					import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;

public class Main {
    public static void main(String[] args) {
        String libraryPath = System.getProperty("MY_CUSTOM_PATH");
        if (libraryPath == null) {
            libraryPath = "/usr/lib";
        }

        File libraryDirectory = new File(libraryPath);
        URL[] urls = {libraryDirectory.toURI().toURL()};
        URLClassLoader classLoader = new URLClassLoader(urls);

        try {
            Class<?> cls = classLoader.loadClass("Library");
            Object instance = cls.newInstance();

            // Use the library...
        } catch (Exception e) {
            System.err.println("Failed to load library");
        }
    }
}

				
			

In this Java code, the MY_CUSTOM_PATH system property is used to determine the location of a class file. If the property is not set, the default path /usr/lib is used. This makes the code vulnerable to an untrusted search path vulnerability, because an attacker could set the MY_CUSTOM_PATH system property to a location containing a malicious version of the Library class, which would be executed instead of the expected code.

Ruby:

				
					library_path = ENV["MY_CUSTOM_PATH"] || "/usr/lib"
$LOAD_PATH.unshift(library_path)

require "library"

				
			

In this Ruby code, the MY_CUSTOM_PATH environment variable is used to determine the location of a shared library. If the environment variable is set, its value is added to the beginning of the $LOAD_PATH list, which is used to search for required files. If the environment variable is not set, the default path /usr/lib is used. This makes the code vulnerable to an untrusted search path vulnerability, because an attacker could set the MY_CUSTOM_PATH environment variable to a location containing a malicious version of the library file, which would be executed instead of the expected code.

It is important to note that these are just examples and the actual vulnerability may vary depending on the specific implementation and context. It’s always a good idea to follow secure coding practices and validate any input from external sources, including environment variables and configuration files, to prevent untrusted search path vulnerabilities and other types of security vulnerabilities.

Examples of exploitation Untrusted Search Path vulnerabilities

  • Supply a malicious library: An attacker can supply a malicious library with the same name as the expected library, which is loaded in place of the legitimate library. This can result in the execution of arbitrary code with the permissions of the vulnerable program.

  • Trick the program into loading a library from a malicious location: An attacker can manipulate the environment variable or system property that specifies the library path, such that the program loads a library from a location controlled by the attacker. This can result in the execution of arbitrary code with the permissions of the vulnerable program.

  • Load a malicious library from a world-writable directory: If the vulnerable program loads libraries from a world-writable directory, an attacker could place a malicious library in that directory and have the vulnerable program load it.

  • Load a malicious library from a predictable location: An attacker can place a malicious library in a location that is predictable or discoverable by the attacker, and cause the vulnerable program to load it. This can result in the execution of arbitrary code with the permissions of the vulnerable program.

Privilege escalation techniques for Untrusted Search Path vulnerabilities

A privilege escalation is a situation where an attacker is able to elevate their privileges, such as accessing resources or executing code with higher privileges than they would normally have. In the context of untrusted search path vulnerabilities, privilege escalation can occur when an attacker is able to execute code with the privileges of the vulnerable program.

Here are a few techniques that an attacker could use to exploit an untrusted search path vulnerability for privilege escalation:

  1. Load a malicious library with elevated privileges: An attacker can create a malicious library with elevated privileges and trick the vulnerable program into loading it. This can allow the attacker to execute code with elevated privileges and potentially access sensitive information or perform actions on behalf of the vulnerable program.

  2. Load a malicious library that spawns a process with elevated privileges: An attacker can create a malicious library that launches a new process with elevated privileges and trick the vulnerable program into loading it. This can allow the attacker to execute code with elevated privileges and potentially access sensitive information or perform actions on behalf of the vulnerable program.

  3. Load a malicious library that replaces system libraries: An attacker can create a malicious library with the same name as a system library and place it in a location that the vulnerable program searches for libraries. This can cause the vulnerable program to load the malicious library in place of the expected system library. This can allow the attacker to execute code with elevated privileges and potentially access sensitive information or perform actions on behalf of the vulnerable program.

  4. Load a malicious library that modifies the environment: An attacker can create a malicious library that modifies the environment, such as the PATH or LD_LIBRARY_PATH environment variable, to include a directory containing a malicious library. This can cause the vulnerable program to load the malicious library instead of a system library, allowing the attacker to execute code with elevated privileges and potentially access sensitive information or perform actions on behalf of the vulnerable program.

General methodology and checklist for Untrusted Search Path vulnerabilities

The general methodology for identifying and mitigating untrusted search path vulnerabilities involves several steps:

  1. Identify sources of untrusted input: Identify all sources of input from external sources, including environment variables, configuration files, command-line arguments, and any other sources of data that can influence the library search path.

  2. Evaluate the impact of untrusted input: Evaluate the impact of each source of untrusted input on the library search path, and determine whether an attacker could potentially manipulate the input to influence the search path.

  3. Validate input: Validate any input from external sources, including environment variables and configuration files, to ensure that only trusted values are used to determine the library search path.

  4. Limit search path to trusted locations: Limit the library search path to trusted locations, and avoid adding untrusted directories to the search path.

  5. Use secure coding practices: Use secure coding practices, such as input validation and error handling, to mitigate the risk of untrusted search path vulnerabilities.

  6. Regularly review and update code: Regularly review and update code to ensure that new untrusted search path vulnerabilities are not introduced, and that existing vulnerabilities are properly mitigated.

Tools set for exploiting Untrusted Search Path vulnerabilities

Manual tools:

• Burp Suite: A popular web application security testing tool that includes several plugins for identifying and exploiting untrusted search path vulnerabilities.
• OWASP ZAP: An open-source web application security scanner that can be used to identify and exploit untrusted search path vulnerabilities.
• HTTP Debugger: A tool for capturing, analyzing, and manipulating HTTP traffic, which can be used to identify untrusted search path vulnerabilities.
• Netcat: A simple and versatile tool for network communication, which can be used to manipulate network traffic and identify untrusted search path vulnerabilities.
• curl: A command-line tool for sending HTTP requests, which can be used to manipulate network traffic and identify untrusted search path vulnerabilities.
• Wireshark: A network protocol analyzer that can be used to capture, analyze, and manipulate network traffic, and identify untrusted search path vulnerabilities.
• sqlmap: An open-source tool for automating SQL injection attacks, which can be used to manipulate input and identify untrusted search path vulnerabilities.
• Metasploit: An open-source framework for developing and executing exploits, which can be used to exploit untrusted search path vulnerabilities.
• nmap: An open-source tool for network exploration, security scanning and management, which can be used to identify untrusted search path vulnerabilities by scanning network resources and identifying misconfigurations.
• Fuzzing tools: Tools for testing software by sending unexpected or random inputs to the application, which can be used to identify untrusted search path vulnerabilities by identifying unexpected behaviors in the application.

Automatic tools:

• Microsoft Threat Detection and Response (MDATP): A cloud-based security solution that uses AI and machine learning to detect and respond to security threats, including untrusted search path vulnerabilities.
• Symantec Endpoint Protection: An endpoint security solution that includes protection against untrusted search path vulnerabilities and other security threats.
• McAfee Total Protection: An antivirus solution that provides real-time protection against untrusted search path vulnerabilities and other security threats.
• Kaspersky Endpoint Security: An endpoint security solution that provides protection against untrusted search path vulnerabilities and other security threats.
• Trend Micro OfficeScan: An endpoint security solution that provides protection against untrusted search path vulnerabilities and other security threats.
• SANS Penetration Testing: An online course and certification program that teaches the skills and techniques needed to identify and exploit untrusted search path vulnerabilities.
• OWASP Top Ten: An online project that provides a list of the top 10 web application security risks, including untrusted search path vulnerabilities.
• Veracode: A cloud-based platform for automating security testing and vulnerability management, including the identification and mitigation of untrusted search path vulnerabilities.
• Rapid7: A security solutions provider that offers a range of tools and services for identifying and mitigating untrusted search path vulnerabilities.
• Qualys: A cloud-based platform for automating security testing and vulnerability management, including the identification and mitigation of untrusted search path vulnerabilities.

Average CVSS score of Untrusted Search Path vulnerabilities

The Common Vulnerability Scoring System (CVSS) is a widely-used industry standard for assessing the severity of security vulnerabilities, including untrusted search path vulnerabilities. The CVSS score for a specific vulnerability is calculated based on several factors, including the scope of the vulnerability, the impact of the vulnerability, and the ease of exploitation.

The average CVSS score for untrusted search path vulnerabilities can vary greatly, depending on the specific vulnerability and the factors that contribute to its severity. Some untrusted search path vulnerabilities may have a low CVSS score, indicating a relatively low risk, while others may have a high CVSS score, indicating a significant risk.

In general, untrusted search path vulnerabilities can be considered medium- to high-risk vulnerabilities, depending on the specific vulnerability and the environment in which it is present. To determine the CVSS score for a specific untrusted search path vulnerability, it is important to consider all relevant factors and to use a comprehensive vulnerability assessment tool, such as CVSS.

The Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is a comprehensive list of software weaknesses, including untrusted search path vulnerabilities. Here are the top 10 CWEs related to untrusted search path vulnerabilities:

  1. CWE-426: Untrusted Search Path: This vulnerability occurs when an application relies on untrusted search paths to locate resources, such as DLLs or libraries, that are executed with the same privileges as the application.

  2. CWE-427: Uncontrolled Search Path Element: This vulnerability occurs when an application does not properly control the search path used to locate resources, such as DLLs or libraries, which can result in the execution of malicious code.

  3. CWE-427: Improper Control of Load Order: This vulnerability occurs when an application does not properly control the order in which resources are loaded, which can result in the execution of malicious code.

  4. CWE-428: Unquoted Search Path or Element: This vulnerability occurs when an application does not properly quote search path elements, which can result in the execution of malicious code located in directories that are named in a way that takes advantage of the vulnerability.

  5. CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’): This vulnerability occurs when an application uses untrusted input to build a pathname that is intended to be restricted to a limited directory hierarchy, but is not properly validated.

  6. CWE-427: Unchecked Return Value: This vulnerability occurs when an application does not properly check the return value of a function that is used to locate resources, such as DLLs or libraries, which can result in the execution of malicious code.

  7. CWE-426: Inclusion of Functionality from Untrusted Control Sphere: This vulnerability occurs when an application includes functionality from a source that is outside of the control of the application, such as a library or DLL, which can result in the execution of malicious code.

  8. CWE-427: Resource Management Errors: This vulnerability occurs when an application does not properly manage resources, such as memory, which can result in the execution of malicious code.

  9. CWE-426: Trusting Self-reported DNS Names: This vulnerability occurs when an application trusts self-reported DNS names, which can result in the execution of malicious code.

  10. CWE-427: Improper Neutralization of Special Elements used in a Library Name (‘Library Injection’): This vulnerability occurs when an application does not properly neutralize special elements that are used in library names, which can result in the execution of malicious code.

Untrusted Search Path exploits

Untrusted search path exploits are attacks that take advantage of vulnerabilities in the way an application locates and executes resources, such as DLLs or libraries. These attacks can occur when an application relies on an untrusted search path to locate resources, or when an application does not properly control the search path used to locate resources.

There are several common types of untrusted search path exploits, including:

  1. DLL hijacking: This exploit occurs when an attacker provides a malicious DLL with the same name as a legitimate DLL that is expected by an application. When the application searches for the DLL, it will load the malicious DLL instead of the legitimate one, allowing the attacker to execute malicious code.

  2. Library injection: This exploit occurs when an attacker provides a malicious library with the same name as a legitimate library that is expected by an application. When the application searches for the library, it will load the malicious library instead of the legitimate one, allowing the attacker to execute malicious code.

  3. Path traversal: This exploit occurs when an attacker provides a pathname that includes “..” sequences, which are used to traverse the directory hierarchy. When the application uses the provided pathname to locate resources, it may access files or directories that are outside of the intended search path, allowing the attacker to execute malicious code.

  4. Dynamic link library preloading (also known as binary planting): This exploit occurs when an attacker provides a malicious DLL with the same name as a legitimate DLL that is expected by an application. When the application starts, it will load the malicious DLL before it loads the legitimate DLL, allowing the attacker to execute malicious code.

Practicing in test for Untrusted Search Path vulnerabilities

There are several ways to practice identifying and testing for untrusted search path vulnerabilities in a controlled environment, such as:

  1. Set up a test environment: Create a virtual machine or sandbox environment that you can use to test your applications and tools. This environment should be isolated from your production network and should not contain sensitive data or systems.

  2. Scan your applications: Use automated tools such as static code analyzers or dynamic application security testing (DAST) tools to scan your applications for known untrusted search path vulnerabilities. You can also perform manual code reviews to identify potential issues.

  3. Test with malicious DLLs: Try to replace legitimate DLLs with malicious ones to see if your applications are vulnerable to DLL hijacking. You can use a tool like Metasploit to create a malicious DLL.

  4. Test with malicious libraries: Try to replace legitimate libraries with malicious ones to see if your applications are vulnerable to library injection. You can use a tool like Metasploit to create a malicious library.

  5. Test for path traversal: Try to access files or directories outside of the intended search path by providing pathnames that include “..” sequences. You can use a tool like Burp Suite or OWASP ZAP to automate this test.

  6. Test for dynamic link library preloading: Try to load a malicious DLL before a legitimate DLL by naming the malicious DLL with the same name as the legitimate DLL. You can use a tool like Metasploit to create a malicious DLL.

  7. Remediate vulnerabilities: If you identify any untrusted search path vulnerabilities, implement remediation steps to address the issue. This may include modifying the code, changing configuration settings, or applying patches.

Practicing identifying and testing for untrusted search path vulnerabilities in a controlled environment can help you better understand the risks associated with these types of vulnerabilities and improve your ability to detect and prevent attacks.

For study Untrusted Search Path vulnerabilities

There are several resources available for studying untrusted search path vulnerabilities:

  1. Books: Books on secure coding practices, software security, and computer security can provide a comprehensive overview of untrusted search path vulnerabilities and how to prevent them.

  2. Websites: Websites such as the Open Web Application Security Project (OWASP) and the Common Vulnerabilities and Exposures (CVE) database provide up-to-date information on known untrusted search path vulnerabilities and the latest techniques for exploiting them.

  3. Online courses: Online courses and certifications on software security, secure coding practices, and penetration testing can provide hands-on experience with identifying and testing for untrusted search path vulnerabilities.

  4. Conferences: Attending security conferences and workshops can provide opportunities to learn about untrusted search path vulnerabilities from experts in the field and network with other security professionals.

  5. Research papers: Reading research papers on software security, secure coding practices, and computer security can provide a deeper understanding of the technical details of untrusted search path vulnerabilities and the latest techniques for exploiting and mitigating them.

By utilizing these resources, you can gain a comprehensive understanding of untrusted search path vulnerabilities, how they work, and the best practices for preventing and remedying them.

Books with review of Untrusted Search Path vulnerabilities

Here are some books that provide a comprehensive overview of untrusted search path vulnerabilities and their impact on software security:

  1. “Secure Coding: Principles and Practices” by Mark G. Graff and Kenneth R. van Wyk – This book provides a comprehensive overview of software security and includes a section on untrusted search path vulnerabilities and how to prevent them.

  2. “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – This book provides a practical guide to finding and exploiting security flaws in web applications and includes a section on untrusted search path vulnerabilities.

  3. “Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz – This book provides a comprehensive overview of Python programming for security professionals and includes a section on exploiting untrusted search path vulnerabilities.

  4. “Hacking: The Art of Exploitation” by Jon Erickson – This book provides a comprehensive overview of computer security and includes a section on exploiting untrusted search path vulnerabilities.

  5. “Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman – This book provides a comprehensive introduction to penetration testing and includes a section on identifying and exploiting untrusted search path vulnerabilities.

These books provide a comprehensive overview of untrusted search path vulnerabilities and the impact they have on software security. They are great resources for both security professionals and developers looking to improve their understanding of these types of vulnerabilities.

List of payloads Untrusted Search Path vulnerabilities

Untrusted search path vulnerabilities can be exploited using a variety of payloads, including malicious DLLs, malicious executables, and malicious scripts. Here is a list of some common payloads used to exploit untrusted search path vulnerabilities:

  1. Malicious DLLs – A malicious DLL is a dynamic-link library file that contains malicious code that is executed when the DLL is loaded.

  2. Malicious executables – A malicious executable is a standalone program that contains malicious code that is executed when the program is run.

  3. Malicious scripts – A malicious script is a program written in a scripting language such as JavaScript, VBScript, or PowerShell. The script is executed by an interpreter and can be used to execute malicious code on the target system.

  4. Backdoor payloads – A backdoor payload is a program that creates a hidden entry point into the target system that can be used to bypass normal authentication and access controls.

  5. Rootkit payloads – A rootkit payload is a program that is used to hide the presence of malicious code on a target system by modifying the system’s kernel or other low-level system components.

  6. Remote access trojans (RATs) – A remote access trojan is a type of malware that allows an attacker to remotely control the target system.

  7. Worms – A worm is a self-replicating program that spreads from one system to another through a network.

How to be protected from Untrusted Search Path vulnerabilities

Here are some firewall rules and Sigma rules that can be used to block or stop untrusted search path vulnerabilities:

Firewall rules:

  1. Block execution of files from untrusted directories – This rule blocks execution of files from directories that are not explicitly trusted.

  2. Block execution of files with untrusted extensions – This rule blocks execution of files with extensions that are associated with malicious files, such as .exe or .dll.

  3. Block execution of files from network shares – This rule blocks execution of files from network shares, as they are often used to distribute malicious files.

  4. Block execution of files from removable drives – This rule blocks execution of files from removable drives, such as USB drives, as they are often used to distribute malicious files.

Sigma rules:

  1. Detect execution of files from untrusted directories – This rule detects execution of files from directories that are not explicitly trusted.

  2. Detect execution of files with untrusted extensions – This rule detects execution of files with extensions that are associated with malicious files, such as .exe or .dll.

  3. Detect execution of files from network shares – This rule detects execution of files from network shares, as they are often used to distribute malicious files.

  4. Detect execution of files from removable drives – This rule detects execution of files from removable drives, such as USB drives, as they are often used to distribute malicious files.

These firewall rules and Sigma rules can be used to block or detect untrusted search path vulnerabilities and help to prevent malicious code from being executed on the target system. It is important for security professionals and administrators to implement these types of rules and to regularly review and update them to ensure that they are up-to-date and effective.

Mitigations for Untrusted Search Path vulnerabilities

  1. Use environment variables to define the search path – This method involves setting the environment variables to explicitly define the search path that the application should use. This helps to prevent malicious files from being loaded into the application.

  2. Use a trusted search path – When an application is installed, it should be installed in a trusted directory, such as the program files directory, to ensure that it uses a trusted search path.

  3. Sign and verify digital signatures of libraries and executables – This method involves using digital signatures to verify the authenticity and integrity of libraries and executables. Digital signatures can be used to verify that the code has not been tampered with and to prevent malicious code from being executed.

  4. Enable ASLR (Address Space Layout Randomization) – This method involves using a technique called address space layout randomization to randomly arrange the address space of a process. This makes it more difficult for attackers to predict where code or data is located in memory and can help to prevent attacks.

  5. Enable DEP (Data Execution Prevention) – This method involves using a technique called data execution prevention to prevent code from being executed in memory regions that are not intended to contain code. This helps to prevent attackers from executing malicious code.

  6. Use code signing certificates – This method involves using code signing certificates to verify the authenticity and integrity of code. Code signing certificates can be used to verify that the code has not been tampered with and to prevent malicious code from being executed.

  7. Conduct regular security audits – This method involves conducting regular security audits to identify and address potential security vulnerabilities in an application. Security audits should be performed by trained security professionals who have the necessary knowledge and experience to identify potential security issues.

These mitigation techniques can be used to reduce the risk of untrusted search path vulnerabilities and to help prevent malicious code from being executed on a target system. It is important for security professionals and developers to be familiar with these techniques and to implement them in their applications and systems.

Conclusion

To mitigate the risk of untrusted search path vulnerabilities, it is important for security professionals and developers to understand the underlying causes of these vulnerabilities and to implement mitigation techniques, such as using environment variables to define the search path, using a trusted search path, signing and verifying digital signatures of libraries and executables, enabling ASLR and DEP, and conducting regular security audits.

In conclusion, untrusted search path vulnerabilities are a serious security concern, and it is important for organizations to take steps to mitigate the risk of these vulnerabilities and to protect their systems and data from malicious attacks.

Other Services

Ready to secure?

Let's get in touch